Risk Management Policy

1. Purpose of this document
1.1 This risk management policy forms part of the company's internal control and corporate governance arrangements.
1.2 The policy sets out the company's definition of risk and describes the purpose of risk management. It explains the company's underlying approach to risk management and documents the roles and responsibilities of key parties. It outlines how the risk management process fits into the overall system of internal control and identifies the main reporting procedures. Finally, it describes the process Council will use to evaluate the effectiveness of the company's internal control procedures.

2. Definitions and the purpose of risk management
2.1 A risk can be defined as ‘anything that can impede or enhance the organisation’s ability to achieve its objectives’.
2.2 Risk management can be described as the process, structure and culture put in place to identify, assess and control the uncertainties and incidents which may impact on the company's ability to achieve its objectives.
2.3 Effective risk management is essential to the continuation, growth and prosperity of the company in line with its strategic objectives. It is not a process for avoiding risk. If used well, it will actively allow the company to take on activities with a higher level of risk because the risks have been identified, are understood and well managed, and the residual risk is thereby lower.


3. Underlying approach to risk management
The following key principles outline the company's approach to risk management:
3.1 The company adopts an open and receptive approach to the management of risk.
3.2 Risk management is intrinsic to the management of the company's business and not simply a compliance issue.
Risk management requires a proactive rather than a reactive approach.

4. Role of Board of Directors
Council has responsibility for overseeing risk management within the company as a whole. Its role is to:
4.1 Set the tone and influence the culture of risk management within the company.
4.2 Determine the appropriate risk appetite or level of exposure for the company.
4.3 Approve major decisions which may affect the company’s risk profile or exposure.

5. Role of the Audit Committee
On behalf of Council, the Audit Committee is responsible for:
5.1 Ensuring that appropriate arrangements are in place to ensure that risks are identified, assessed and effectively managed.
5.2 Monitoring the management of significant risks which could threaten the achievement of the company’s strategic objectives.
5.3 Annually reviewing the company's approach to risk management and risk management framework.
5.4 Ensuring that internal auditors have plans to review the adequacy and effectiveness of risk management and are able to provide an annual assessment of the company's risk management arrangements.

6. Role of the Executive Board
Key roles of the Executive Board are to:
6.1 Implement policies approved by Council on risk management and internal control.
6.2 Be responsible for the company's High Level Risk Register (HLRR), specifically:
- To identify and evaluate the significant risks faced by the company.
- To assign ownership of risks.
- To ensure that appropriate actions are taken to mitigate risks.
6.3 Ensure that the less significant risks (i.e. those which are managed at site or department level and do not appear on the High Level Risk Register) are actively managed, with appropriate controls in place and working effectively.
Provide adequate information in a timely manner to Council, Audit and Finance Committees on the status of risks and controls.

7. Risk management as part of the system of internal control
7.1 The system of internal control incorporates risk management. This system encompasses a number of elements that together facilitate an effective and efficient operation, enabling the company to respond to a variety of operational, financial, and commercial risks. These elements include:

a. Strategies, policies and procedures
The company has a series of strategies, policies and procedures that underpin the internal control process. Key strategies and policies are approved by the company's Council and implemented and communicated by senior management to staff.

b. Company planning and budgeting
The company's planning and budgeting process is used to set objectives, agree action plans, and allocate resources. Progress towards meeting plan objectives is monitored regularly.

c. High level risk registers (significant risks only)
The company’s high level risk register is compiled by the Executive Board and helps to facilitate the identification, assessment and on-going monitoring of risks significant to the institution, including action taken to mitigate risks. The document is formally appraised annually, but emerging risks are added as required, and mitigating actions and risk indicators are monitored regularly and updated as appropriate. The high level risk register is discussed at all regular meetings of the Executive Board and reported on regularly to the company's Council, Audit and Finance Committees.

d. Audit Committee
The Audit Committee is required to report to the directors Council on risk management and alert Council Members to any emerging issues. In addition, the committee oversees internal audit, external audit and management as required in its review of internal controls. The committee is therefore well-placed to provide advice to Council on the effectiveness of the internal control system, including the company's system for the management of risk.

e. Internal audit programme
The Internal Audit Service adopts a risk-based approach to its work with the overall objective of evaluating and improving the effectiveness of the company's risk management, internal control and governance processes. This involves conducting an annual review of the adequacy of the company's risk management arrangements and a programme of reviews based predominantly on the company's assessment of high level risks.

f. External audit
External audit provides feedback to the Audit Committee on the operation of the internal financial controls reviewed as part of the annual audit.

g. Third party reports
From time to time, the use of external consultants may be necessary in specialist areas of company operations. The use of specialist third parties for consulting and reporting can increase the reliability of the internal control system.

8. Annual review of effectiveness
8.1 The Council, through the Audit Committee, is responsible for reviewing the effectiveness of the company's risk management, internal control and governance processes, based on information provided by the internal audit service, external audit and the Executive Board.
8.2 The Audit Committee will prepare a report of its review of the effectiveness of the company's risk management, control and governance arrangements annually for consideration by Council and the Chief Executive as Accounting Officer.